Dixons data breach leads to £500,000 fine

A Dixons data breach has led to the company being fined £500,000 by the ICO. At least 14 million people were affected after malware was installed on computer systems, allowing hackers to steal customers’ personal data.

The malware was installed on “point of sale” tills at stores for Currys, PC World, and Dixons Travel. In addition to names, email addresses, and postcodes, the hackers also gained access to 5.6 million card details.

According to The Guardian:

Steve Eckersley, the ICO’s director of investigations, said the ICO had found “systemic failures” in the way Dixons Carphone looked after its customer data. “Such careless loss of data is likely to have caused distress to many people since the data breach left them exposed to increased risk of fraud,” he said.

This demonstrates the importance of cybersecurity in today’s digital age. Dixons has made basic errors in its approach – despite the area of business it is in – and is now paying the price.

However, the fine could have been much greater. This Dixons data breach took place between July 2017 and April 2018, just before GDPR came into force. As a result, Dixons has been fined the maximum amount for a breach of the Data Protection Act 1998 instead, for which the penalties are much less severe.

For comparison, British Airways was fined £183 million for a data breach last year. Dixons has been fortunate in this case – although the same cannot be said for their customers. The Guardian goes on:

Eckersley said: “The contraventions in this case were so serious that we imposed the maximum penalty under the previous legislation, but the fine would inevitably have been much higher under the GDPR.”


Alex Baldock, the group chief executive of Dixons Carphone, said the company disputed some of the ICO’s findings and was considering its grounds for appeal. The company had, he said, made significant investment in its information security systems and processes. There was “no confirmed evidence of any customers suffering fraud or financial loss as a result”, he added.


“We are very sorry for any inconvenience this historic incident caused to our customers,” said Baldock. “When we found the unauthorised access to data, we promptly launched an investigation, added extra security measures and contained the incident. We duly notified regulators and the police and communicated with all our customers.”

Click here to read The Guardian’s article in full.

Dixons has, at least, responded to the data breach in the proper way by notifying the ICO and doing what they could to limit the damage. Their cybersecurity failings, however, were considerable, and will hopefully be learned from.

Our GDPR consultants are here to help if you have concerns about your own data protection programme. Get in touch with us today to find out what we can do for you!

30% of EU businesses fail GDPR compliance

A new survey of EU firms by RSM has discovered that 30% admitted that they fail GDPR compliance – and that a further 13% were not certain whether they are compliant or not. This leaves only 57% confident in their data protection processes.

This is worrying news given that it has been over a year since GDPR came into force. All of these organisations should have been prepared in advance, and ensured that they were compliant before 25th May 2018.

But because they fail GDPR compliance, they are putting themselves at risk.

As reported by Silicon:

It seems that there is no single issue to blame for non-compliance, but middle market businesses are apparently struggling to understand and implement a whole range of areas covered by the regulation.


The survey found that more than a third (38 percent) of non-compliant businesses do not understand when consent is required to hold and process data, 35 percent are unsure how they should monitor their employees’ use of personal data and 34 percent don’t understand what procedures are required to ensure third party supplier contracts are compliant.


The good news however is that despite the lack of compliance, GDPR is starting to have a positive impact on cyber security.


According to RSM, almost three quarters (73 percent) of European businesses say GDPR has encouraged them to improve the way they manage customer data and 62 percent say it has seen them increase their investment in cyber security. But alarmingly 21 percent of businesses admit that they still have no cyber security strategy in place.

You can read the full article here: https://www.silicon.co.uk/security/security-management/third-not-gdpr-compliant-272411

It therefore seems as if GDPR’s overall effect so far has been mixed. But with fines starting to appear thanks to GDPR – with British Airways recently receiving a record penalty of £183 million from the ICO – firms need to start taking their compliance more seriously.

We would always advise that data protection should be by design and default. Aside from the potential financial dangers of not being GDPR compliant, these firms are also risking a loss of trust from their customers and not being as efficient as they could be.

If you’re concerned that your organisation fails GDPR compliance, or want to further improve your data protection procedures and therefore your efficiency, click here to contact us today and find out more about our GDPR consultancy packages.

Facebook will be fined $5 billion for Cambridge Analytica Scandal

The US data regulator, the Federal Trade Commission (FTC), has announced that it intends to fine Facebook $5 billion for its part in the Cambridge Analytica Scandal.

The fine that Facebook received from the UK’s ICO, coming pre-GDPR, was a mere £500,000 – but despite the FTC penalty being a huge amount more, many feel that it’s inadequate.

Here’s what Dave Lee, the BBC North America technology reporter, had to say about it:


Facebook had been expecting this. It told investors back in April that it had put aside most of the money, which means the firm won’t feel much added financial strain from this penalty.


What we don’t yet know is what additional measures may be placed on the company, such as increased privacy oversight, or if there will be any personal repercussions for the company’s chief executive, Mark Zuckerberg.


The settlement, which amounts to around one quarter of the company’s yearly profit, will reignite criticism from those who say this amounts to little more than a slap on the wrist.

You can read the full news report here: https://www.bbc.co.uk/news/world-us-canada-48972327

It’s notable that the fine was only just passed by the FTC by 3 votes to 2, with those voting against it stating that it was insufficient, even though it would be the biggest ever brought by the FTC against a tech company.

Perhaps the most shocking thing is that Facebook shares actually rose 1.8% at the news, with investors taking it positively.

The debate will go on, but many will continue to think that Facebook got off lightly with just a $5 billion fine. If this had come under GDPR, it would likely have been in a great deal of trouble.

As it is, a mere £500,000 from the ICO – a record at the time, until the recent British Airways fine of £183 million – seems hardly worth mentioning.

Metropolitan Police hit with ICO enforcement notices

The ICO has issued two enforcement notices against the Metropolitan Police Service, stating that its data protection failures have been “systematic”.

It’s a requirement of GDPR that all Data Subject Access Requests (DSARs) are responded to within one month, but the Met Police have struggled to keep up with the sheer volume they’ve received.

As reported by CBR:

Suzanne Gordon, Director of Data Protection Complaints and Compliance at the ICO wrote: “The MPS has failed in its data protection obligations by not responding to SARs within a calendar month and we have issued two enforcement notices ordering the MPS to respond to all requests by September 2019.”


A Metropolitan Police spokesman told Computer Business Review: “We are taking the enforcement notices very seriously and regret failing to meet our obligations.”

You can read the full article here: https://www.cbronline.com/news/metropolitan-police-ico-gdpr

The Met Police now has until the end of September to resolve this issue or else be hit with a fine by the ICO. However, the chief issue here is the lack of awareness about its obligations and the measures taken to meet them.

While the 500 DSARs it receives each month is a considerable volume to deal with, this should have been anticipated before GDPR ever came into force.

Furthermore, once it became clear that its current systems were insufficient, it should have changed its procedures to meet those obligations.

If you’re worried about meeting your own data protection obligations or are unsure what they are, get in touch with us via the Contact Form here or by emailing [email protected]!